Public production architecture teardown
Microsoft Sentinel on Azure
Azure-native managed SIEM built on Log Analytics Workspace (columnar Kusto storage) with KQL as the query language. Schema-on-read at the storage layer; zero-config ingest for Azure AD, Defender, Office 365; Logic Apps for response automation. The architecture is documented; the cost model is what bends the decision at scale.
Pay-as-you-go ingestion rate for the first 100 GB/day (Q1 2026 published pricing). Commitment tiers discount at higher volume. Cost includes ingestion, 90-day retention, and amortized query compute — schema-on-read query overhead is bundled into the per-GB rate.
The pipeline
- Sources. Azure-native + 3rd party: Azure AD · Defender · O365 · CrowdStrike · Palo Alto.
- Ingest. Data connectors: Diagnostic Settings · API polling · syslog/CEF.
- Store. Log Analytics Workspace: Kusto columnar; 30–730 day retention.
- Detect. Analytics rules (KQL): scheduled queries; 5-min default cadence.
- Respond. Logic Apps playbooks: Email · ServiceNow · isolate endpoint · block IP.
What composes, what’s brittle
- Query engine. Kusto — same engine as Azure Data Explorer.
- Schema-on-read. Nested JSON re-parsed on every query; cost amortized into $2.30/GB.
- E5 bundling. M365 E5 includes a 5 MB/user/day Sentinel data grant on Microsoft sources.
- Best fit. 80%+ Azure workloads, < 100 GB/day, no data engineering team.
- What's brittle. Cost at > 500 GB/day; KQL non-portable; 90-day retention wall.
- Migration tool. Microsoft-published SPL → KQL translator (~70–80% automated).
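How the Detect stage and the schema-on-read point above meet in practice, as an added example that is not from the page or from Microsoft: a scheduled KQL analytics rule over the Azure AD SigninLogs table (assumed connected), with the nested LocationDetails and DeviceDetail JSON parsed at query time on every run. Thresholds and the rule scheduling settings are illustrative assumptions.

```kql
// Added example (not from the page or Microsoft): scheduled analytics rule query.
// Assumes the Azure AD SigninLogs connector is on; thresholds are illustrative.
// Rule settings assumed: "Run query every" 5 min, "Lookup data from the last" 5 min.
let lookback = 5m;                 // keep >= run frequency, or events fall in the gap
let failure_threshold = 10;        // failed sign-ins from one IP inside the window
let spread_threshold = 3;          // distinct accounts seen from that IP
SigninLogs
| where TimeGenerated > ago(lookback)
// Schema-on-read: LocationDetails and DeviceDetail are dynamic (nested JSON)
// columns parsed here, on every run; nothing was flattened at ingest.
| extend Country = tostring(LocationDetails.countryOrRegion),
         OS = tostring(DeviceDetail.operatingSystem),
         Succeeded = ResultType == "0"     // Azure AD sign-in ResultType "0" is success
| summarize Failures = countif(not(Succeeded)),
            Successes = countif(Succeeded),
            TargetedAccounts = dcount(UserPrincipalName),
            SampleAccounts = make_set(UserPrincipalName, 5),
            Countries = make_set(Country, 5),
            OperatingSystems = make_set(OS, 5),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by IPAddress
| where Failures >= failure_threshold and TargetedAccounts >= spread_threshold
// A burst of failures with at least one success is the row worth a playbook run;
// project the fields the rule's entity mapping (IP, Account) will bind to.
| project IPAddress, Failures, Successes, TargetedAccounts, SampleAccounts,
          Countries, OperatingSystems, FirstSeen, LastSeen
| order by Successes desc, Failures desc
```

Every run re-parses the dynamic columns for the whole window, which is the per-query overhead the $2.30/GB rate is amortizing; widening the lookback beyond the run frequency trades duplicate alerts for coverage of late-arriving events.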
Sources: Microsoft Azure pricing page (Sentinel, Q1 2026) · Microsoft Learn "Log Analytics workspace overview" · Microsoft Learn migration guidance · Azure-Sentinel/Tools/RulesTranslators GitHub